I have an IDS 4210 with 4.x running on it. I recently purchased it and am testing it these days.
When I run a port scanner on my network the alarms are generated on the IDS. But when I come in the next day and look at the IDS viewer all the alarms are gone?? Is there any way I can preserve these alarms?
Also, could someone tell me the practical use of the "IP LOGGING" feature of the IDS? Does it enable the IDS to collect extra data when it sees an alarm? Can I configure it to start logging when it sees a specific signature? Any feedback would be highly appreciated.
To automatically start an iplog when a signature fires you will need to configure the signature and select the action "log" for EventAction.
When an iplog is started it will capture all of the packets to and from the address and place them into a binary log file. This binary log file is in a libpcap format and can be read by most sniffers (including tcpdump and ethereal).
The easiest way to download an iplog file is through IDM:
Why is this useful? Quite often a user will ask what happened after a hacker was able to access their network. This log file will show what occurred after the alarm from that attacker IP address.
Other users have also used the iplog feature to determine whether or not an alarm was a false positive or a real attack.
NOTE: For users who don't need to look into a lot of packets, there is a feature in 4.1 known as "trigger packet". Unlike iplogging, which captures the packet that caused the alarm as well as several packets afterwards, the "trigger packet" option will simply attach an encoded version of the one trigger packet directly to the alarm itself.
The "trigger packet" is viewable within IEV when looking at an alarm:
For configuring the "trigger packet" you will set the signature parameter "Capture Packet" to True for the particular signature.
For viewing the "trigger packet" use the "show captured packet" option:
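Since the answer above says the iplog is a libpcap file, here is an added example (not from the original thread or from Cisco) of what a downloaded iplog can be checked with offline: a small classic-pcap reader that validates the file header, walks the records, and lists every IPv4 packet to or from a given address, which is what the "what happened after the alarm" question comes down to. The sample file bytes are constructed inline for the demonstration; the IP addresses in it are made up.

```python
import socket
import struct

LINKTYPE_ETHERNET = 1

def parse_pcap(data):
    """Yield (ts_sec, link_type, frame) for each record of a classic libpcap file."""
    # Magic bytes tell us the byte order the capturing host wrote the file in.
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap file (bad magic)")
    link = struct.unpack(endian + "IHHiIII", data[:24])[6]  # last field: link type
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:  # file cut off mid-record (e.g. log still being written)
            raise ValueError("truncated packet record at offset %d" % off)
        off += 16 + incl_len
        yield ts_sec, link, frame

def ipv4_endpoints(frame, link):
    """Return (src, dst, ip_proto) for an Ethernet/IPv4 frame, or None for anything else."""
    if (link != LINKTYPE_ETHERNET or len(frame) < 34
            or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4):
        return None
    # IPv4 header starts at offset 14: protocol at +9, source at +12, destination at +16.
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), frame[23]

def packets_for_host(data, host):
    """List (ts_sec, src, dst, ip_proto) for every packet sent to or from `host`."""
    out = []
    for ts_sec, link, frame in parse_pcap(data):
        ep = ipv4_endpoints(frame, link)
        if ep and host in ep[:2]:
            out.append((ts_sec,) + ep)
    return out

# Constructed sample "iplog": three minimal Ethernet/IPv4 frames with no payload.
def _frame(src, dst, proto):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 20, 0, 0x4000, 64, proto, 0)
    return eth + ip + socket.inet_aton(src) + socket.inet_aton(dst)

def _record(ts_sec, frame):
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame

SAMPLE_IPLOG = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
                + _record(1700000000, _frame("10.0.0.5", "192.168.1.10", 6))
                + _record(1700000001, _frame("192.168.1.10", "10.0.0.5", 6))
                + _record(1700000002, _frame("10.0.0.9", "192.168.1.10", 17)))
```

For a real iplog, read the downloaded file with `open(path, "rb").read()` and pass it to `packets_for_host` with the alarm's source address; a truncated file raises rather than silently dropping the tail.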
Your events are not gone the next day, they have been simply archived. I believe the default is to archive the events at midnight each day. Which I believe is a bad idea since an attack could occur at 11:00pm and the next day when you look they have been archived, and you may never know. I set mine to 6pm, so shortly after I leave work, they are archived.
You can go into EDIT>PREFERENCES and adjust the archive setting there.